Users can be authenticated to VCL via a few methods. There is a built in accounts system that allows users to be managed strictly within VCL. There is also support for two federated authentication systems that allow user accounts managed outside of VCL to be able to use VCL. These are LDAP Authentication and Shibboleth Authentication. By configuring VCL to use one or both of these methods, VCL administrators do not have to manage user accounts. Both of the methods can be used by themselves, but they can also be used in conjunction with each other. By using them together, you gain the benefit of VCL being able to look up information about users to do things like validate userids and manage user group membership via LDAP but also have the extra security Shibboleth brings by not having users enter passwords directly into the VCL site.
See also
Overview
Content Tools
Apps